Why would someone want to hack your website, you may ask.
There's a multitude of reasons why hackers would want to hack your website. In the early days of the Internet, hackers may do so just to boost their ego or to boast that they were capable of doing so - its a case of "Look at what I can do!".
Nowadays, the motives are much more nefarious. These include:
To deface your website - maybe to make a political statement or to proof a point.
To knock your website offline - maybe because of business competition or ideology differences.
To steal data from your website - user databases, financial records and/or customer credit card data for financial gains.
To hold your website to ransom - maybe a ransomware attack.
To take control of your server to relay spam mails.
To use your server to host malicious files for phishing, ransomware, key-loggers or software virus distribution.
To command your server as part of a botnet for distributed denial-of-service (DDoS) attacks.
To use your server to mine for Bitcoins.
To test their vulnerability scanning tools - in preparation for a much bigger hack campaign.
These days, hacking is regularly performed by automated scripts written to scour the internet in an attempt to exploit known website security issues in software.
So, here are 9 steps to protect your website from hackers:
1. Keep your software up to date
It may seem obvious, but ensuring you keep all software up-to-date is vital in keeping your site secure. This includes both the server operating system and any software you may be running on your website such as a Content Management System or databases. Since software is created by people it is inherently flawed and contains errors or bugs. You should know the components that your website relies on to operate, and keep tabs on the known issues, and releases of updates and patches.
2. Protect against Cross-Site Scripting (XSS) attacks
Cross-site scripting (XSS) attacks inject malicious JavaScript into your pages, which then runs in the browsers of your users, and can change page content, or steal information to send back to the attacker. You must not allow any injection of active JavaScript content into your webpages, so as to ensure website security.
3. Watch out for SQL injection
SQL injection attacks occurs when a hacker uses a web form field or URL parameter to gain access to or manipulate your database. When you use standard Transact SQL it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You must always use parameterised queries and avoid standard Transact SQL as this would allow hackers to insert rogue code.
Another powerful tool is to implement Content Security Policy (CSP). CSP is a header that your server can return which tells the browser to limit how and what JavaScript is executed in the page, for example to disallow running of any scripts not hosted on your domain or disallow inline JavaScript.
4. Double validation of form data
Validation should always be done both on the browser and server side. The browser can catch simple failures like mandatory fields that are empty and when you enter text into a numbers only field. These can however be bypassed, and you should make sure you check for these validation and deeper validation server side as failing to do so could lead to malicious code or scripting code being inserted into the database or could cause undesirable results in your website.
5. Avoid file uploads
Allowing users to upload files to your website can be a big website security risk, even if it’s simply to change their avatar. The risk is that any file uploaded, however innocent it may look, could contain a script that when executed on your server therefore completely opens up your website.
If you must allow upload of files, do it with with extreme caution. You must remove executable permissions for the file so that it cannot be executed, in order to ensure website security.
6. Separate database server
If you can afford, it would be advisable to maintain separate database server and web servers, as it offers better security to the data.
7. Use HTTPS
HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees that users are talking to the server they expect, and that nobody else can intercept or change the content they're seeing in transit.
Notably Google will boost you up in the search rankings if you use HTTPS, giving this an SEO benefit too. Insecure HTTP is on its way out, and now's the time to upgrade, if you have not already done so.
8. Check your passwords
Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is crucial to use strong passwords to your server and website admin area, but equally also important to insist on good password practices for your users to protect the security of their accounts.
Implement rigorous password policies and ensure that they are followed. Follow recommended password length of more than 8 characters with a mix of upper and lower case alphabets, numerals and special characters. Do not use dictionary words. The longer the password, the stronger is the website security.
If you need to store passwords for user authentication, ensure that you always store them in encrypted form. Use a hashing algorithm, and also salt the hash to make it more secure.
9. Website security tools
Once you think you have done all you can then it's time to test your website security. The most effective way of doing this is via the use of some website security tools, often referred to as penetration testing or pen testing for short.
Some of the tools or services that you can use:
To monitor and alert you on changes to your website without having to install any software: e-Lock's ScanMyPage service
To monitor your website uptime: UpTimeRobot
To detect hidden malware on your website: Google Safe Browsing
Penetration testing services: e-Lock Web and Mobile Application Penetration Testing Services
For file level monitoring and alert within your web server: e-Lock's WebALARM File Integrity Monitoring solution